Tuesday, July 31, 2012


The electronic equivalent of a “Paid” stamp?
Credit Card Roulette: Payment Terminals Pwned in Vegas
At least three widely used credit and debit card purchasing terminals in the U.S. and U.K. have vulnerabilities that would allow attackers to install malware on them and sniff card data and PINs.
The vulnerabilities can also be used to make a fraudulent card transaction look like it’s been accepted when it hasn’t been, printing out a receipt to fool a salesclerk into thinking items have been successfully purchased.
Or an attacker can design a hack that would invalidate the chip-and-PIN card system, a security feature that is standard in Europe but only nascent in the U.S. It uses cards embedded with a chip and requires cardholders to enter a PIN to validate a transaction.


Most managers recognize that logging makes it easy to determine who accessed what, when. Do they fully consider the implications of saving some money by turning off the logs?
Oops x 2: lack of logs confounds thorough breach investigation
July 30, 2012 by admin
The Depository Trust and Clearing Corporation realized that employee information – including SSN and financial information – was improperly accessible to other employees on its intranet. But its lack of adequate logging procedures made it impossible for them to determine who may have accessed the data, they report to the New Hampshire Attorney General.

(Related) Auditors look for changes in the volume of transactions as an indication that something has started or stopped. Best Practice then suggests you do something about it! Well done, mystery processor!
When security works: payroll processor prevent$ transactions
July 30, 2012 by admin
Neurocare, Inc. has been notifying some employees after one of their systems was infected by malware and the criminals acquired the firm’s login credentials to its payroll processor account. The credentials were then used to re-route direct deposits for some employees to other accounts.
The scheme was foiled because Neurocare’s unnamed payment processor detected an unusual number (17) of change requests and notified Neurocare promptly. The processor was able to reverse any transactions before they went through, so no money was lost. The IPs of the attackers were provided to the firm by the processor.
Payment processors have gotten bad press at times over their failures. It’s a shame that Neurocare didn’t name this payment processor in their report to the New Hampshire Attorney General’s Office so that it could get some positive coverage. [Agreed Bob]
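The volume check the two items above describe (an auditor watching transaction counts, and a processor flagging 17 direct-deposit change requests) can be scripted. This is an added illustration, not code from the article or from any processor: the log format, the 24-hour window, the 28-day baseline and the multiplier are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one change request per line (assumed format):
# ISO timestamp, employer account, employee id, requesting IP.
# Four routine changes over July, then a 2 a.m. burst of 17 from one address.
SAMPLE_LOG = """\
2012-07-02T09:14:00 NEUROCARE e1001 198.51.100.7
2012-07-09T10:02:00 NEUROCARE e1042 198.51.100.7
2012-07-16T11:30:00 NEUROCARE e1017 198.51.100.7
2012-07-23T08:45:00 NEUROCARE e1033 198.51.100.7
""" + "".join(f"2012-07-30T02:{m:02d}:00 NEUROCARE e{1100 + m} 203.0.113.55\n"
              for m in range(17))


def parse_log(text):
    """Parse log lines into (timestamp, account, employee, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, employee, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, employee, ip))
    return events


def detect_bursts(events, window=timedelta(hours=24), baseline_days=28,
                  factor=5, minimum=5):
    """Per account, compare change requests in the most recent `window` with
    the mean per-window count over the preceding `baseline_days`. Alert when
    the recent count is at least `minimum` and more than `factor` times the
    baseline (baseline floored at 1 so a quiet account still needs a burst)."""
    alerts = {}
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)
    for account, evs in by_account.items():
        evs.sort()
        latest = evs[-1][0]
        cutoff = latest - window
        recent = [e for e in evs if e[0] > cutoff]
        history = [e for e in evs
                   if cutoff - timedelta(days=baseline_days) < e[0] <= cutoff]
        expected = len(history) / (timedelta(days=baseline_days) / window)
        if len(recent) >= minimum and len(recent) > factor * max(expected, 1):
            alerts[account] = {
                "recent": len(recent),
                "expected_per_window": round(expected, 2),
                "source_ips": sorted({e[3] for e in recent}),
            }
    return alerts
```

The alert carries the requesting addresses so the processor can pass them to the customer, as happened here; on the four routine lines alone it stays silent.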


For your Security manager
Free Android apps could hijack your phone
Those annoying pop-up ads are back. This time, they're on your smartphone, and they're badder than ever. Here's how you can avoid aggressive adware on your mobile device.


For my Business Continuity students. It could happen here...
"BBC reports that a massive power breakdown has hit India for a second day running, leaving more than half the country without power as the northern and eastern grids have both collapsed. The breakdown has hit a large swathe of the country including Delhi, Punjab, Haryana, Uttar Pradesh, Himachal Pradesh and Rajasthan states in the north, and West Bengal, Bihar, Orissa and Jharkhand in the east. Power cuts are a common occurrence in Indian cities because of a fundamental shortage of power and an aging grid. The chaos caused by such cuts has led to protests and unrest on the streets but the collapse of an entire grid is rare — the last time the northern grid failed was in 2001. India's demand for electricity has soared in recent years as its economy has grown but its power infrastructure has been unable to meet the growing needs. In the weeks leading up to the failure, extreme heat had caused power use to reach record levels in New Delhi and on July 30 a line feeding into the Agra-Bareilly transmission section, the 400-kV Bina-Gwalior line, tripped, triggering the collapse. The second grid collapse occurred on 31 July as the Northern, Eastern and North-Eastern power grids of India tripped/failed causing power blackout in 19 states across India. The crisis was allegedly triggered after four states — Rajasthan, Haryana, Punjab and UP — drew much more than their assigned share of power."


Welcome to Behavioral Advertising, the political version.
Dark Money Political Groups Target Voters Based on Their Internet Habits
Lauren Berns was browsing Talking Points Memo when he saw an ad with President Obama’s face. “Stop the Reckless Spending,” the ad read, and in smaller print, Paid for by Crossroads GPS. Berns was surprised. Why was Crossroads GPS, a group that powerful Republican strategist Karl Rove helped found, advertising on a liberal-leaning political website? Looking closely at the ad, Berns saw a small blue triangle in the upper-left hand corner. He knew what that meant: this ad wasn’t being shown to every person who read that page. It was being targeted to him in particular. Tax-exempt groups like Crossroads GPS have become among the biggest players in this year’s election. They’re often called “dark money” groups, because they can accept unlimited amounts of money and never have to disclose their donors.
These groups are spending massively on television spots attacking different candidates. These ads are often highly publicized and get plenty of media attention.
But these same dark money groups are also quietly expanding their online advertising efforts, using sophisticated targeting tactics to send their ads to specific kinds of people.
Who they’re targeting, and what data they’re using, is secret.


We have these on tollways. “We know where you get on, we know where you get off, that tells us how much you owe.” But, how long do they keep that information? Who gets to see it? Could be the start of an interesting dialog.
Automatic License Plate Readers: A Threat To Americans’ Privacy
July 31, 2012 by Dissent
The ACLU’s Nationwide Public Records Request
In July 2012, American Civil Liberties Union affiliates in 38 states sent requests to local police departments and state agencies that demand information on how they use automatic license plate readers (ALPR) to track and record Americans’ movements.
On the same day, the ACLU and the ACLU of Massachusetts filed federal Freedom of Information Act requests with the Departments of Justice, Homeland Security, and Transportation to learn how the federal government funds ALPR expansion nationwide and uses the technology itself.
Read more on ACLU’s blog.


I wonder if Colorado would be interested in following this model here? I know just the guy to run it...
By Dissent, July 30, 2012
From PRC, a new resource for California residents:
Many people consider their health information to be highly sensitive, deserving the strongest protection under the law. Medical records often contain not only personal health-related information – considered by most to be strictly confidential — but also Social Security numbers and dates of birth — the keys to identity theft.
Over the years, the Privacy Rights Clearinghouse has heard from thousands of individuals who feel their medical privacy rights have been violated. There is a great deal of misunderstanding about medical privacy laws and regulations. Most individuals think they have far more legal protection than they actually have.
What are your rights to medical privacy? As it turns out, that is not a simple question to answer. Chances are, you’ve heard of HIPAA, the Health Insurance Portability and Accountability Act. It is a federal law that sets a national baseline standard for the privacy of individually identifiable health information.
But HIPAA only applies to health care providers that conduct certain transactions electronically, health plans, and health care clearinghouses. A great deal of personal medical information exists that is not maintained by HIPAA “covered entities.” An example would be personal medical information provided voluntarily when one participates in an online chat forum for individuals with a specific ailment.
Fortunately for individuals who live in California, state law provides additional medical privacy protections. Today, the PRC has launched a microsite dedicated solely to medical privacy in California. It is available at https://www.privacyrights.org/california-medical-privacy.
The Fact Sheets posted on the microsite are:
Over time, we will expand the site to include additional Fact Sheets.
For information about health privacy issues not specifically related to California, read these guides on our website:
Do you have a medical privacy question that our Fact Sheets don’t address? Use our Online Complaint Center to get a personalized response from our staff.


“The only constant is change.” Heraclitus (Or maybe Isaac Asimov)
Recent Developments — Both in the Courts and in Congress — on the Scope of the Computer Fraud and Abuse Act
July 31, 2012 by admin
Orin Kerr writes:
I’ve blogged a lot on the scope of the Computer Fraud and Abuse Act, and specifically on whether using a computer in violation of a computer use policy or Terms of Service is a federal crime. I’ve been banging the drum urging courts to adopt a narrow interpretation of the Act for a decade, and the question has recently reached several courts of appeals. A lot has been happening on this front recently, so I thought I would bring readers up to speed. To follow this issue, you need to watch all three branches. So let’s start with the pairing of Judiciary/Executive, and then cover the pairing of Legislature/Executive.
Read his commentary on The Volokh Conspiracy.


The future, now that Amazon has given up the fight (which they were never going to win).
July 30, 2012
"Amazon" Laws and Taxation of Internet Sales: Constitutional Analysis
CRS - "Amazon" Laws and Taxation of Internet Sales: Constitutional Analysis, Erika K. Lunder - Legislative Attorney; John R. Luckey - Legislative Attorney, July 26, 2012
  • "As more and more purchases are made over the Internet, states are looking for new ways to collect taxes on these sales. While there is a common misperception that states cannot tax Internet sales, the reality is that they may impose sales and use taxes on such transactions, even when the retailer is outside of the state. However, if the seller does not have a constitutionally sufficient connection (“nexus”) to the state, then the seller is under no enforceable obligation to collect a use tax. While the purchaser is still generally responsible for paying the use tax, the rate of compliance is low. Recent laws, often called “Amazon” laws in reference to the large Internet retailer, represent fresh attempts by the states to capture taxes on Internet sales. States enacting these laws have used two basic approaches. The first is to impose use tax collection responsibilities on retailers who compensate state residents for placing links on the state residents’ websites to the retailer’s website (i.e., online referrals or “click-throughs”). The other is to require remote sellers to provide sales and tax-related information to the state and/or the in-state customers. New York was the first state to enact click-through legislation, and Colorado was the first to pass a notification law. These laws have received significant publicity, in part due to questions about whether they impermissibly impose duties on remote sellers who do not have a sufficient nexus to the state."


Could this be the “baseline” against which other plans are measured?
Republic Wireless reopens $19 service, sells Motorola Defy XT
The heavily hyped service, which promises an all-you-can-eat plan for just $19.99 a month, is finally adding more customers again.


Tools & Techniques for tired eyes...
Most of us spend hours reading on the computer every day, but our computers probably aren’t optimized for reading. The text on our monitors may not be sharp enough or may be too small, especially if we have high-resolution monitors. Websites usually aren’t optimized for reading long-form articles either – they’re cluttered with too many navigation elements, flashing advertisements, and often use text that’s too small.
These tips will help you read text more comfortably everywhere on your Windows computer, from the text in all your programs to articles in your web browser.


Resources: 'cause having your students watch old movies is (sometimes) useful...
At the time of writing there are 3,207 items in the Prelinger Archives, all of which are open to being remixed, sampled and used in any way you see fit.
… There are also collections of films made from Prelinger footage, titled Prelinger Mashups. If nothing more they serve as inspiration as to what can be done with footage like this.


Tools There are bazillions of websites. Find one you like and let these services find the others...
Are you bored of the same old websites? Do you not know what to look at next? Well if that’s the case, then try out a neat web app called Websites Like, which recommends other sites to you, based on a URL or a keyword that you type into their search engine.
